Planning for Security

Management of Information Security2-1

Chapter 2

Planning for Security

Chapter Overview

In this chapter, the reader will come to recognize the importance of planning and learn the principal components of organizational planning as well as gaining an understanding of the principal components of information security system implementation planning as it functions within the organizational planning scheme.

Chapter Objectives

When you complete this chapter, you will be able to:

Recognize the importance of planning and describe the principal components of organizational planning.
Know and understand the principal components of information security system implementation planning as it functions within the organizational planning scheme.

Introduction

In general, a successful organization depends on proper organizational planning.

In a setting where there are continual constraints on resources, both human and financial, good planning enables an organization to make the most out of the resources at hand.

Planning usually involves groups and organizational processes internal or external to the organization. They can include employees, management, stockholders, other outside stakeholders, the physical environment, the political and legal environment, the competitive environment, and the technological environment.

The major components of a strategic plan include the vision statement, mission statement, strategy, and a series of hierarchical and departmental plans.

Developing the organizational plan for information security depends upon the same planning process.

Since the information security community of interest seeks to influence the broader community in which it operates, the effective information security planner should know how the organizational planning process works so that participation in the process can yield meaningful results.

The dominant means of managing resources in modern organizations, planning is the enumeration of a sequence of action steps intended to achieve specific goals, and then controlling the implementation of these steps.

Planning provides direction for the organization’s future.

Organizational planning should be undertaken using a top-down process in which the organization’s leaders choose the direction and initiatives that the entire organization should pursue.

The primary goal of the organizational planning process is the creation of detailed plans: systematic directions on how to meet the organization’s objectives. This is accomplished with a process that begins with the general end ends with the specific.

Components of Organizational Planning

Mission

The mission statement explicitly declares the business of the organization, as well as its intended areas of operations. It is, in a sense, the organization’s identity card.

The mission statement must explain what the organization does and for whom.

Random Widget Works, Inc. designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments.

The Information Security Department is charged with identifying, assessing, and appropriately managing risks to Company X’s information and information systems. It evaluates the options for dealing with these risks, and works with departments throughout Company X to decide upon and then implement controls that appropriately and proactively respond to these same risks. The Department is also responsible for developing requirements that apply to the entire organization as well as external information systems in which Company X participates [these requirements include policies, standards, and procedures]. The focal point for all matters related to information security, this Department is ultimately responsible for all endeavors within Company X that seek to avoid, prevent, detect, correct, or recover from threats to information or information systems.

Vision

In contrast to the mission statement, which expresses what the organization is, the vision statement expresses what the organization wants to become.

Vision statements therefore should be ambitious; after all, they are meant to express the aspirations of the organization and to serve as a means for visualizing its future.

The vision statement is the best-case scenario for the organization’s future.

Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use.

Values

By establishing a formal set of organizational principles, standards, and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.

Microsoft has a formal employee values statement published on their Web site.

RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments.

The mission, vision, and values statements together provide the philosophical foundation for planning, and also guide the creation of the strategic plan.

Strategy

Strategy, or strategic planning, is the basis for long-term direction for the organization.

Strategic planning in general guides organizational efforts, and focuses resources toward specific, clearly defined goals, in the midst of an ever-changing environment.

“In short, strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.”

Planning for the Organization

After an organization develops a general strategy, it creates an overall strategic plan by extrapolating that general strategy into specific strategic plans for major divisions.

Each level of each division translates those objectives into more specific objectives for the level below.

However, in order to execute this broad strategy and turn statement into action, the executive team must first define individual responsibilities.

Planning Levels

Once the organization’s overall strategic plan is translated into strategic goals for each major division or operation, such as the Information Security group, the next step is to translate these strategies into tasks with specific, measurable, achievable and time-bound objectives.

Strategic planning then begins a transformation from general, sweeping statements toward more specific and applied objectives.

Tactical planning has a shorter focus than strategic planning, usually one to three years.

Tactical planning breaks down each applicable strategic goal into a series of incremental objectives.

Managers and employees use the operational plans, which are derived from the tactical plans, to organize the ongoing, day-to-day performance of tasks.

The operational plan includes clearly identified coordination activities across department boundaries, communications requirements, weekly meetings, summaries, progress reports, and associated tasks.

Planning and the CISO

The first priority of the CISO and information security manager should be the structure of a strategic plan.

While each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning are the same.

Elements of a strategic plan

Introduction by the President of the Board or CEO
Executive Summary
Mission Statement and Vision Statement
Organizational Profile and History
Strategic Issues and Core Values
Program Goals and Objectives
Management/Operations Goals and Objectives
Appendices (optional) (strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets etc).”

Some additional tips for planning include:

Create a compelling vision statement that frames the evolving plan, and acts as a magnet for people who want to make a difference.
Embrace the use of a balanced scorecard approach, which demands the use of a balanced set of measures and cause & effect thinking.
Deploy a draft high level plan early, and ask for input from stakeholders in the organization.
Make the evolving plan visible.
Make the process invigorating for everyone.
Be persistent.
Make the process continuous.
Provide meaning.
Be yourself.
Lighten up and have some fun.

Planning for Information Security Implementation

The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans information security.

The CISO plays a more active role in the development of the planning details than does the CIO.

The job description for the Information Security Department Manager from Information Security Roles and Responsibilities Made Easy is:

Creates a strategic information security plan with a vision for the future of information security at Company X (utilizing evolving information security technology, this vision meets a variety of objectives such as management's fiduciary and legal responsibilities, customer expectations for secure modern business practices, and the competitive requirements of the marketplace)
Understands the fundamental business activities performed by Company X, and based on this understanding, suggests appropriate information security solutions that uniquely protect these activities
Develops action plans, schedules, budgets, status reports and other top management communications intended to improve the status of information security at Company X

Once the organization’s overall strategic plan has been translated into IT and information security departmental objectives by the CIO, and then further translated into tactical and operational plans by the CISO, the implementation of information security can begin.

Implementation of information security can be accomplished in two ways: bottom-up or top-down.

The bottom-up approach can begin as a grass-roots effort in which systems administrators attempt to improve the security of their systems.

The key advantage to this approach is the technical expertise of the individual administrators, since they work with information systems on a daily basis.

Unfortunately, this approach seldom works, as it lacks a number of critical features, such as coordinated planning from upper management, coordination between departments, and the provision of sufficient resources.

The top-down approach, in contrast, has strong upper management support, a dedicated champion, usually assured funding, a clear planning and implementation process, and the ability to influence organizational culture.

High-level managers provide resources, give direction, issue policies, procedures and processes, dictate the goals and expected outcomes of the project, and determine who is accountable for each of the required actions.

The most successful top-down approach also involves a formal development strategy referred to as the systems development life cycle.

For any top-down approach to succeed, however, high-level management must buy into the effort and provide all departments with their full support.

Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for acceptance throughout the organization.

Involvement and support of the end users is also critical to the success of this type of effort.

Introduction to the Systems Development Life Cycle

The general systems development life cycle (SDLC) is a methodology for the design and implementation of an information system in an organization widely used in IT organizations.

A methodology is a formal approach to solving a problem based on a structured sequence of procedures. Using a methodology ensures a rigorous process, and increases the likelihood of achieving the desired final objective.

The impetus to begin a SDLC-based project may be event-driven, that is, started in response to some event in the business community, inside the organization, or within the ranks of employees, customers or other stakeholders. Or it could be plan-driven, that is, the result of a carefully developed planning strategy.

At the end of each phase, a structured review or reality check takes place, during which the team and its management-level reviewers determine if the project should be continued, discontinued, outsourced, or postponed until additional expertise or organizational knowledge is acquired.

Investigation

It identifies the problem that the system being developed is to solve.

Beginning with an examination of the event or plan that initiates the process, the objectives, constraints, and scope of the project are specified.

A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate costs for those benefits.

Analysis

The analysis phase begins with the information learned during the investigation phase. This phase assesses the organization’s readiness, its current systems status, and its capability to implement and then support the proposed systems.

Analysts determine what the new system is expected to do, and how it will interact with existing systems.

Logical Design

In the logical design phase, the information obtained during the analysis phase is used to create a proposed system-based solution for the business problem.

Based on the business need, the team selects systems and/or applications capable of providing the needed services.

Finally, based on all of the above, the team selects specific types of technical controls that might prove useful when implemented as a physical solution.

The logical design is the implementation independent blueprint for the desired solution.

Physical Design

During the physical design phase, the team selects specific technologies that support the alternatives identified and evaluated in the logical design.

The selected components are evaluated further as a make-or-buy decision, then a final design is chosen that integrates the various required components and technologies.

Implementation

In the implementation phase, the organization’s software engineers develop any software that is not to be purchased, and take steps to create integration modules.

These customized elements are tested and documented.

Users are trained and supporting documentation is created.

Once all components have been tested individually, they are installed and tested.

Maintenance

This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.

Periodically, the system is tested for compliance, and the feasibility of continuance versus discontinuance is evaluated.

Upgrades, updates, and patches are managed.

When the current system can no longer support the changed mission of the organization, it is terminated and a new systems development project is undertaken.

The Security Systems Development Life Cycle (SecSDLC)

The security systems development life cycle (SecSDLC), may differ in several specific activities, but the overall methodology is the same.

The SecSDLC process involves the identification of specific threats and the risks that they represent, and the subsequent design and implementation of specific controls to counter those threats and assist in the management of the risk.

Investigation in the SecSDLC

The investigation phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints.

Frequently, this phase begins with the affirmation or creation of security policies on which the security program of the organization is or will be founded.

Teams of managers, employees, and contractors are assembled to analyze problems, define their scope, specify goals and objectives, and identify any additional constraints not covered in the enterprise security policy.

Finally, an organizational feasibility analysis determines whether the organization has the resources and commitment to conduct a successful security analysis and design.

Analysis in the SecSDLC

The development team created during the investigation phase conducts a preliminary analysis of existing security policies or programs, along with documented current threats and associated controls.

This phase also includes an analysis of relevant legal issues that could affect the design of the security solution.

The risk management task also begins in this stage.

Risk Management

Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

To better understand the analysis phase of the SecSDLC, you should know something about the kinds of threats facing organizations in the modern, connected world of information technology (or IT).

In this context, a threat is an object, person, or other entity that represents a constant danger to an asset.

Table 2-1 – Threats to Information Security:

An attack is a deliberate act that exploits a vulnerability.

It is accomplished by a threat agent that damages or steals an organization’s information or physical asset.

An exploit is a technique or mechanism used to compromise a system.

A vulnerability is an identified weakness of a controlled system in which necessary controls are not present orare no longer effective.

An attack is the use of an exploit to achieve the compromise of a controlled system.

Common attacks include:

Malicious code.
Hoaxes.
Back doors.
Password crack.
Brute force.
Dictionary.
Denial-of-service (DoS) and distributed denial-of-service (DDoS).
Spoofing.
Man-in-the-middle
Spam.
Mail bombing.
Sniffer.
Social engineering.
Buffer overflow
Timing.

The last step in knowing the enemy is to find some method of prioritizing the risk posed by each category of threat and its related methods of attack.